Professional Documents
Culture Documents
Continuous
Risk Management
Guidebook
Audrey J. Dorofee
Julie A. Walker
Christopher J. Alberts
Ronald P. Higuera
Richard L. Murphy
Ray C. Williams
Preface
Background The Software Engineering Institute (SEI), a federally funded research and development
center and part of Carnegie Mellon University in Pittsburgh, Pennsylvania, has been
formally studying and developing risk management concepts since January, 1990 as an
efficient means to improve the success of programs developing software-intensive
systems.
As the acquisition community streamlines and adopts new, more effective paradigms, we
see cooperative approaches such as team risk management gaining acceptance and use.
Why a Book Although we could have waited for the completion of work on Team Risk Management
on and produced one guidebook, we felt that there was a community that needed to know
Continuous about risk management within a project, how to perform it, and how to implement it. In-
deed, the first draft of this guidebook was the Team Risk Management Guidebook; it was
Risk
too much for one book, and too confusing for our audience. So we split it into two books
Management? and concentrated on completing the Continuous Risk Management part first. The purpose
was to put into the hands of the community a book that would enable them to implement
risk management within projects. Joint risk management between customers, suppliers,
and subcontractors could be addressed later.
Another reason for publishing this guidebook now is that risk management is a key prac-
tice within the framework of the Software Acquisition Capability Maturity Model (SA-
CMMSM)1 and is expected to become a key process area within the Software Capability
Maturity Model (SW-CMMSM)2 in the future.
Book Purpose The purpose of this guidebook is to explain what Continuous Risk Management is; to
and Scope help you understand the principles, functions, methods, and tools; to show what it could
look like when implemented within a project; and to show you how a project could im-
plement its own adaptation. The intent is not to provide a “cookie-cutter” answer for ev-
eryone. There is no such answer. This is a generic practice with a variety of methods and
tools from which to choose. It is meant to be adapted to suit an organization and a project.
i
Part 2
Is Anything Just as no “solution” fits all problems, no guidebook could hope to be complete for all
Else Needed? readers and their needs. Additional or supplementary training may be required or desired
by some organizations. Organizations can accelerate their adoption of these practices
through a service to adapt the risk management practice documented in this guidebook.
Does everyone need these services? No; but we intend to provide them for those who do.
Intended Everyone in a project needs to actively participate for risk management to be effective.
Audience Therefore, this guidebook, whole or in part, is aimed at everyone involved in a project. It
is also targeted towards sponsors of change and improvement as well as change agents
and champions who help the process of improvement and transition. Not everyone needs
to read the entire guidebook. Part 1 provides a detailed table identifying which parts
should be read by whom.
Where Did The contents of this book are a compilation of what we have read, learned, tested, and
This Come experienced over the last six years. Many clients have contributed, in varying degrees, to
From? the methods, guidelines, and tips in this book. Observations of successes and failures
clarified the principles that we use. Successful and less-than-successful experiments with
clients helped us to refine and develop new methods and tools that are, we hope, of a prac-
tical nature.
What We We hope that readers will be able to take the ideas presented here and implement a
Hope You Get successful risk management practice in their projects and organizations, achieving
From this improvements in their ability to deliver quality systems on-time and within budget. But
even if all you take from this book is a handful of ideas to help you improve your
Book
practices, we will consider the book a success.
Where We Go As we continue to work with clients and expand our use of the World Wide Web, we in-
From Here tend to produce at least one, perhaps two, more versions or addendums to this guidebook,
focusing on new methods and tools. The rapid expansion of the capability embodied in
the World Wide Web holds promise for promoting and collecting best practices and new
methods. So although the exact media by which additional information about Continuous
Risk Management will be provided to the community is unknown, we do intend to pro-
vide it.
Final Words We sincerely hope you will find this book to be of use to you. We welcome any and all
feedback from our readers (see Chapter 20, Section 2).
2. CMM and Capability Maturity Model are service marks of Carnegie Mellon University.
ii
Table of
Contents
Table of Contents
Preface i
Acknowledgments iii
Part 1 Introduction 1
Chapter 1 Introduction to Continuous Risk Management 3
Chapter 2 How to Use This Guidebook 11
v
Table of
Contents
References 241
Glossary 245
vi
Table of
Contents
Index 543
vii
Part 1
Chapter 2
Section 1
Section 1
Software vs. This guidebook primarily deals with performing Continuous Risk Management with a
System Risk software development focus but can also be used to address systems, hardware, and other
Management domains. Only a few of the methods are specifically focused on software.
Guidebook This guidebook separates the “what” of risk management from the “how to do it.” The
Organization following table outlines the guidebook organization.
Guidebook This document was structured and formatted based on the guidelines and formats provid-
Format ed by an Information Mapping® seminar given by Information Mapping, Inc. The most
visible aspect of this format is the use of labels for each block of information to enable
the reader to quickly scan the document for relevant information. The document is divid-
ed into five major parts, each part having chapters, each chapter having sections. Parts
and chapters each start with a detailed list of the contents.
Part 2: What is Part 2 provides the foundation for what the SEI Risk Management Program means by
Continuous Continuous Risk Management. Risk terminology is defined and the SEI risk management
Risk paradigm (see diagram below) is described. A chapter is devoted to each paradigm func-
tion, which includes a function diagram (see diagram below) outlining the required inputs
Management?
to the function, any constraints, supporting information, the activities involved, and the
output. Associated methods and tools are listed and described in detail in the appendix.
12
Part 1
Chapter 2
Section 1
Constraints
t r ol
Con
I
de
ntify
Functions
Track
Input • Output
Communicate • activities
•
Ana
l
yz
n e
Pla
Supporting information
Part 3: Part 3 provides one view of Continuous Risk Management implemented within a project.
Continuous Risk An example implementation (see diagram below) is used to provide a framework for
Management: showing how an organization might tailor the Continuous Risk Management practice to
fit their environment. Internal and external risk communication on a project is discussed
Example
and a risk example is taken through a life-cycle from identification through closure.
Implementation
Organization structure
Internal communications
External communications
Example Implementation
13
Part 1
Chapter 2
Section 1
Part 4: How to Part 4 focuses on how an organization can implement Continuous Risk Management
Get Started in within a project. An application roadmap (see diagram below) is provided describing
Continuous what aspects to work on first and how to continue to build an effective risk management
practice including helpful guidelines and tips.
Risk
Management
ESTABLISH INSTALL
SPONSORSHIP START IMPROVE
Part 5: Part 5 summarizes the activities for each function of the paradigm (described in Part 2),
Summary and the key elements of a successful implementation of Continuous Risk Management (de-
Conclusions scribed in Part 3), and the key elements for implementing Continuous Risk Management
(described in Part 4). Considerations for future directions in work at the SEI on risk man-
agement are also presented.
Appendix: The appendix contains all the methods and tools referenced throughout this guidebook.
Methods and Methods provide systematic approaches to performing the Continuous Risk Management
Tools processes and include procedures and guidelines and tips. Tools include templates and
forms along with an example. Tools described within methods are either tools that are
specific to the method or are examples of more general tools described elsewhere in the
appendix.
Method Tool
• description • description
• when to use • how to use
• procedure • example
• tools (if applicable)
• guidelines and tips
14
Part 1
Chapter 2
Section 2
Section 2
15
Part 2
Chapter 4
Section 1
Section 1
What Is Identification?
Description Identification is a process of transforming uncertainties and issues about the project into
distinct (tangible) risks that can be described and measured. Identifying risks involves
two activities:
• capturing a statement of risk
• capturing the context of a risk [Gluch 94a]
Note: Context provides additional information about the circumstances of the risk.
Objective The objective of risk identification is to locate risks before they become problems and to
incorporate this information into the project management process.
Diagram The following diagram shows the inputs and outputs of the Identify function.
Statement of risk
Context
Individual
uncertainties
Identify
• capture statement
of risk
• capture context of
risk
List of risks
Group/team
uncertainties
Project
data
Data Items The following table describes the data items of the Identify function.
28
Part 2
Chapter 4
Section 1
Risk A unique risk identifier is generally used to help keep track of risks that have been iden-
Identifiers tified and are going to be managed. This can be a number, project name and number com-
bination, or some other unique combination of letters and numbers.
Methods and This table provides a summary of the methods and tools used for each activity. More de-
Tools tails are provided in subsequent sections of this chapter and chapters in the appendix.
29
Appendix A
Appendix A
Methods and Tools
Control
• Cause and Effect Analysis
• Closing a Risk
• Cost-Benefit Analysis
• List Reduction
Risk Management Plan • Mitigation Status Report
A Risk Management Plan documents • Multivoting
how risks will be managed on a • PERT Charts
project: the process, activities, • Problem-Solving Planning
milestones, and responsibilities • Risk Information Sheet
associated with risk management. It is a subset of the • Spreadsheet Risk Tracking
project plan and is written before the project begins. • Stoplight Chart
Identify
• Baseline Identification and Analysis
• Brainstorming
• Periodic Risk Reporting
t r ol
Con • Project Profile Questions
I • Risk Form
de
• Stoplight Chart
l
yz
• Time Correlation Chart
n e
Pla
• Time Graph
Plan Analyze
• Action Item List • Affinity Grouping
• Baseline Planning • Bar Graph
• Planning Decision Flowchart • Baseline Identification and Analysis
• Planning Worksheet • Binary Attribute Evaluation
• Problem-Solving Planning • Comparison Risk Ranking
- Affinity Grouping • Multivoting
- Brainstorming • Pareto Top N
- Cause and Effect Analysis • Potential Top N
- Cost-Benefit Analysis • Risk Form
- Gantt Charts • Risk Information Sheet
- Goal-Question-Measure • Taxonomy Classification
- Interrelationship Digraph • Top 5
- List Reduction • Tri-level Attribute Evaluation
- Multivoting
- PERT Charts
- Work Breakdown Structure
• Risk Information Sheet
251